Zero-day attack reportedly pierces key Adobe Reader defense

Adobe investigates claim exploit for Reader X and XI being sold online.

Adobe officials say they're investigating claims of a recent attack. A newly published report claims the latest versions of the widely used Reader document viewer are under attack by exploit code that targets a previously unknown vulnerability.

The particular exploit is available in underground forums for as much as $50,000. It's significant because it pierces a security sandbox that until now has proved impervious to other online attacks, KrebsOnSecurity journalist Brian Krebs reported on Wednesday. The sandbox is designed to minimize the damage of attacks that exploit buffer overflows and other types of software bugs by isolating the document-rendering process from sensitive parts of the underlying operating system.

The vulnerability affects both Reader X and its recently introduced successor, Reader XI. And according to Krebs, it's already incorporated into a custom version of the Blackhole Exploit Kit. The reporter wrote that the developer behind Blackhole said he is hoping to add the exploit to the main version of the kit soon. Criminal hackers fold Blackhole into already hacked websites to give them the ability to exploit a wide variety of vulnerabilities when end users visit the sites.

In an e-mail to Ars, an Adobe spokeswoman wrote: "We saw the announcement from Group IB, but we haven't seen or received any details. Adobe [Product Security Incident Response Team] has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."

Reader's security sandbox has gone a long way in reducing the real-world exploits hitting the document viewer. An exploit that's able to work around that protection and find its way into the widely used Blackhole could be a significant step backward.

Well, I'm certainly looking forward to yet another Adobe update next time I reboot this (work) PC. I don't reboot that often but seem to have an update from them every time. It's like a little present from them.

It's probably worth running a poll on Ars to see just how many users need the advanced features offered by Reader, and how many are doing just fine with lighter PDF viewers like FoxIt and Sumatra PDF. Personally, I've used PDFs only for viewing & printing, nothing more.

Not to worry, I'm sure Adobe will fix this in the next regularly scheduled patch.

The next patch is scheduled for January 2013 I think?

/sarcasm

My job requires working with PDFs and I still don't have Adobe Reader installed. I don't need my PDFs to execute SWF and Java. I don't need them to have dynamic scripting. I'm perfectly happy with the one built into OS X and am sure I would find an alternative if I was using Windows.

It's probably worth running a poll on Ars to see just how many users need the advanced features offered by Reader, and how many are doing just fine with lighter PDF viewers like FoxIt and Sumatra PDF. Personally, I've used PDFs only for viewing & printing, nothing more.

I would put serious money on there being exploitable vulnerabilities in their code, too. Probably lower-hanging fruit, too, given their lower profile at present.

Adobe is a horrible company to do business with, and I speak from professional experience.

The latest gift from Adobe, other than being targeted for exploits and scrambling to develop a system to keep up, is that Reader X introduced embedded Flash in PDF documents. Web developers are abandoning Flash for development, particularly due to mobile browsers not supporting it, so time to embed it into PDF files! The real world IT result is newer Acrobat products implement this and Reader clients pre-X(10) can't render them. Christ.

Adobe investigates claim exploit for Reader X and XI being sold online.

Reader X and XI are free products. They sell Acrobat Pro and AdobeCreatePDF separately, of course, but the "reader" part is free. Distributed online, yes. And Acrobat Pro is probably also affected and is sold online now, but...

I think that meant:

Adobe is investigating the claim of an exploit (that's being sold online) that targets Reader X and XI.

I use Linux and I switched to Okular a few years ago. I do not have Adobe Acrobat Reader installed. People need to stop using Adobe programs for reading PDF files. Adobe Acrobat Reader is full of bugs. I will not install the Adobe Acrobat Reader plug-in so I can view PDFs in my browser. I just set the web browser to automatically open a PDF file in Okular after it is done downloading.

To me, Adobe techs do not want to do the steps that are shown on their systems to figure out what is happening. They want someone else to do it for them, so Adobe should go get the Blackhole Exploit Kit if that is the deal. Also, the Adobe spokesperson has an attitude problem.

Or Adobe could just STOP ALLOWING EXECUTABLE CODE in PDFs. What a joke.

I got tired of daily Acrobat Reader updates, removed it, and put FoxIt. It has disabled all possible executable code and scripting and I don't miss it. PDF is a document format. It's not supposed to be Silverlight II.

Not sure what all the Adobe bashing is here in the comments. Yes, they used to be atrociously bad at security, but after a complete refocus, both Flash and Acrobat appear much more solid/secure. Yes, they still release fixes, as does MS, Apple etc, but nowhere near the rate of Windows XP days.

Working with Microsoft to utilize sandbox technology significantly helped, and in a way this exploit is interesting because of how many protective measures it breaks past.

Perhaps when Microsoft employs running signed apps only everywhere (not just in the new Windows Store Apps), then we will finally see an end to these issues.

If Acrobat simply rendered PDFs this could never happen. But Adobe value-added so much other crap into Acrobat and made it do so much more than render PDFs, this security disaster is pretty much inevitable.

Adobe today = Microsoft software from late 90s. Does anyone remember when Outlook opened attachments automatically, and loaded remote images by default, and rendered HTML from unknown senders including any embedded objects or scripting? That's what Acrobat does.... but over 10 years later. Guys guys. You can't code naive software anymore.

The latest gift from Adobe, other than being targeted for exploits and scrambling to develop a system to keep up, is that Reader X introduced embedded Flash in PDF documents. Web developers are abandoning Flash for development, particularly due to mobile browsers not supporting it, so time to embed it into PDF files! The real world IT result is newer Acrobat products implement this and Reader clients pre-X(10) can't render them. Christ.

Once again I find myself really glad that I use Chrome as my main PDF viewer. Beyond being far more stable, not a performance hog, much faster to start, and not showering me with Adobe update messages...

Maybe it's unfair, but after the past issues with Adobe and Acrobat Reader exploits in particular, this didn't exactly come as a shock that there is apparently a hole in their sandboxing. Granted, at least now they are seriously showing some real effort, unlike before. I still don't trust them to put out a secure product, even if in all likelihood they are now doing overall quite well at it.

Every now and then I get a message in Chrome on certain PDFs saying that they have features which may require Acrobat to view fully/correctly. I haven't once actually found anything to have been actually broken, or noticed anything missing. It seems like a small price to pay. I'd rather trust the sandboxing in Chrome than what Adobe has put in a product which shouldn't be trying to mimic a web browser in the first place. As bizarrely backwards as it may be to instead resort to using a web browser to view what should be a fairly simple static document format.

This is what I don't understand. I read PDFs frequently. Maybe once in a year, I see a PDF that is a form to fill in -- and as far as I can tell, that's just so that when you print it, it's got nice printed text, instead of messy handwriting in the form fields. If there are exploits after all this time, there must be more sophisticated features available in Reader. But I've never seen them.

While it's true that Microsoft and Adobe were the worst among the worst with the security of their products, they have significantly increased the security as of late. Ok, maybe not enough on Adobe Flash, but Adobe Reader is really quite well secured.

I was using Foxit for a long time because I felt more secure, only to realize that since Adobe Reader X was released, nobody had been able to crack the sandbox until maybe... this Ars article. And honestly, that's a very good security result from Adobe. On the other hand, alternatives like Okular, Foxit etc. are far, far behind in terms of security as they don't include a sandboxing mechanism, are able to run with high privileges, etc. I am not saying they are bad, just the fact that they are far behind Adobe Reader. This I realized recently.

We must open our eyes and quit bashing in an uneducated way. Yes, MS and Adobe were the worst of the worst, but now they have improved a lot and the alternatives aren't always more secure now (again, I don't count Adobe Flash as secure, that one remains bad but at least they are actively fixing bugs, which was not the case before).

I am still a Linux fan, prefer the alternatives whenever possible, but I'm just trying to be honest and admit when the big companies I used to loathe, do something good. Else I would fall on the uneducated fanboy camp and lose credibility.

Adobe investigates claim exploit for Reader X and XI being sold online.

Reader X and XI are free products. They sell Acrobat Pro and AdobeCreatePDF separately, of course, but the "reader" part is free. Distributed online, yes. And Acrobat Pro is probably also affected and is sold online now, but...

Whatever, not really misleading or anything to this audience (we get what you mean). Just technically inaccurate, and should probably be fixed.

Currently shipping would be better phrasing.

Since he meant that the exploit was being sold, perhaps, "Adobe investigates claim of Reader X and XI exploit being sold online." or even just "Adobe investigates claim of Reader exploit being sold online." would be more clear.

The only "real world" use of JavaScript in PDF that I've seen is our company's invoices that want to auto-print themselves. (The more we streamline getting paid, the better. Before PDF invoicing, we had an email-only system that some people didn't even recognize as an invoice. So much for the Paperless Office(TM).)

That said, I'm unclear on what "Reader XI" is. My Reader X 10.1.4 install claims to be up-to-date and that's the same version Adobe has on offer for fresh download--is that it, or is Reader X the last version available for Vista?

blueshifter: Acrobat's updater doesn't do major-version updates. If you've got the latest in the 8.x series installed, it won't offer an update to 9.x or anything newer; likewise if you've got 9.x you won't get updates to 10.x.

So I have no issue with Java bashing, where I do have (just a bit) with blind MS and Adobe bashing. Oh, I'm not a fan of either, I still bash them regularly! But I'm just trying to be honest and recognize their achievements in terms of security, when there are.

"Reader X and XI are free products. They sell Acrobat Pro and AdobeCreatePDF separately, of course, but the "reader" part is free. Distributed online, yes. And Acrobat Pro is probably also affected and is sold online now, but... "

It says the 'exploit' is being sold. This is what I got from the headline and voilà, it was in the article as well...

If you are in enterprise and do not treat "document" files the same way as binaries, you have already been owned top to bottom for the last 5+ years.

Don't bother looking in your logs, they already wiped their trail if they cared about discovery. Sometimes they don't, in my experience; nobody noticed a DC phoning home every 5 minutes for months, so why bother cleaning up? Too busy exfiltrating all your juicy data. It's not like it was hard to get in the first place...

It's probably worth running a poll on Ars to see just how many users need the advanced features offered by Reader, and how many are doing just fine with lighter PDF viewers like FoxIt and Sumatra PDF. Personally, I've used PDFs only for viewing & printing, nothing more.

I would put serious money on there being exploitable vulnerabilities in their code, too. Probably lower-hanging fruit, too, given their lower profile at present.

I completely disagree with this assessment. At least for SumatraPDF, which was initially built upon (and is now an extended variant of) muPDF, both of which are open source software. This particular implementation has an incredibly small code footprint - the portable and all-inclusive version (which is fully featured) chalks in at 4.3MB for Windows. I'm not naïve enough to pretend SumatraPDF is bulletproof, but it has many developers eyeballing the source code to find any problems. It has a very small footprint (and hence attack surface). There is no value in exploits that target open source software for the most part, because as soon as an exploit is announced/discovered, anyone, anywhere, can examine the source to find the root cause. Nobody can say the same of Acrobat/Reader, because we have to just wait for Adobe to push out an update.

matthewslyman wrote:

One thing that really ticks me off about Adobe PDF Reader is that every time there's a major update, that overrides my options, so that I have to disable Adobe PDF Javascript all over again.

This, and many other signs of trouble, mean I just don't trust Adobe. As I am a software developer (and others appear to feel the same), that could ultimately spell trouble for them.

ON THIS SPECIFIC EXPLOIT: Can this be mitigated by switching off PDF Javascript? Or can this exploit be carried out by a plain vanilla PDF, on Adobe Reader?

No. In the demonstration video in the article (posted by Hinton), the demonstrator shows clearly that the sandbox and enhanced protection are enabled, and JS is disabled. It must exploit something more fundamental than the traditional low hanging fruit (active scripting).

Hinton wrote:

I read on a normal Danish news site, that it required a specific interaction with the user. Source.

It requires the user to manually close Adobe Reader, prompting the user with "Do you want to save the changes?". If the user clicks "Yes", bad stuff happens.

They need to close reader. No prompts will appear unless they actively disable the sandboxing features whilst the PDF is open (which would then allow the document to be edited in any way/saved as "safe" for future use). If I open a PDF and find it isn't what I expected, the first thing I would do is close it. Seems like a very small hurdle overall.

I want to say three things:

1. The best PDF support isn't always from Adobe. I have a PDF that Adobe Reader can't search inside (but it can select text....) and doesn't even open the properties dialog for, while Sumatra and Foxit can...

2. Until Adobe Reader X there was an option for GPU acceleration and it was good enough at scrolling, but in XI it is removed, so every scroll means tearing everywhere even on my quad core... While Sumatra and Foxit can display large PDFs smoothly on my single core Atom without even touching the GPU....

3. Sumatra is lightweight and essential, but Foxit supports comments, forms, JavaScript,... in a fast and secure way. It doesn't have a sandbox, I agree, but it doesn't have the same attack surface and everything is disabled by default in the safe reading mode, so it should be difficult to exploit....

While it's true that Microsoft and Adobe were the worst among the worst with the security of their products, they have significantly increased the security as of late. Ok, maybe not enough on Adobe Flash, but Adobe Reader is really quite well secured.

Why does a document need to run arbitrary code? I don't give a shit if it's in a sandbox or not, why does a document need to run arbitrary code?

If you can't give me a decent reason, Adobe Reader will never again be installed on my computer (and I'll do my best to discourage its use elsewhere).

cyclistefou wrote:

ai33806 wrote:

You must not have been around here lately, you forgot "Java bashin". :-)

Well, no, I intentionally didn't put Java in that sentence... because Java security IS bad, still.